Hi Moemen,

On Tue, Nov 27, 2018 at 1:24 AM Moemen MHEDHBI <mmhed...@haproxy.com> wrote:
>
>
> On 11/14/18 1:34 AM, Igor Cicimov wrote:
>
> On Sun, Nov 11, 2018 at 2:48 PM Igor Cicimov <ig...@encompasscorporation.com> 
> wrote:
>>
>> Hi,
>>
>> # haproxy -v
>> HA-Proxy version 1.8.14-1ppa1~xenial 2018/09/23
>> Copyright 2000-2018 Willy Tarreau <wi...@haproxy.org>
>>
>> I noticed that in case of multiple domains and OCSP setup:
>>
>> # ls -1 /etc/haproxy/ssl.d/*.ocsp
>> /etc/haproxy/ssl.d/star_domain2_com.crt.ocsp
>> /etc/haproxy/ssl.d/star_domain_com.crt.ocsp
>> /etc/haproxy/ssl.d/star_domain3_com.crt.ocsp
>> /etc/haproxy/ssl.d/star_domain4_com.crt.ocsp
>>
>> I get OCSP response from haproxy only for one of the domains
>> domain.com. Tested via:
>>
>> $ echo | openssl s_client -connect domain[234].com:443 -tlsextdebug -status -servername domain[234].com
>>
>> Is this expected?
>
>
> Any comments/ideas regarding this? Further noticed that OCSP code probably 
> does not check the certificates' SANs and matches only based on the CN in the 
> subject since the calls to whatever.domain.tld get stapled but to domain.tld 
> do not.
>
> Hi Igor,
>
> Testing OCSP on multiple certificates with different domains (based on the 
> CN) works correctly for me. (a.domain.com, b.domain.com, c.domain.com)
>
> Are you using multiple certs with the same CN but different SANs?

The certificates belong to completely separate domains, so not
subdomains of the same domain like in your case. They are also
wildcard certs so here is the layout:

# ls -1 /etc/haproxy/ssl.d/
star_domain1_com.crt
star_domain1_com.crt.ocsp
star_domain2_com.crt
star_domain2_com.crt.ocsp
star_domain3_com.crt
star_domain3_com.crt.ocsp

# for i in `ls -1 /etc/haproxy/ssl.d/*.crt`; do openssl x509 -noout -subject -in $i; done
subject= /C=AU/ST=New South Wales/L=Sydney/O=My Company/CN=*.domain1.com
subject= /C=AU/ST=New South Wales/L=Sydney/O=My Company/CN=*.domain2.com
subject= /C=AU/ST=New South Wales/L=Sydney/O=My Company/CN=*.domain3.com

The SAN only contains the certificate's domain and nothing else; for
example, for domain3.com:

            X509v3 Subject Alternative Name:
                DNS:*.domain3.com, DNS:domain3.com

The haproxy bind line in the frontend looks like:

     bind *:443 ssl crt /etc/haproxy/ssl.d/ ...

And here is the output of the daily cronjob that updates the OCSP for haproxy:

Date: Mon, 26 Nov 2018 05:00:01 +0000 (GMT)

/etc/haproxy/ssl.d/star_domain1_com.crt: good
        This Update: Nov 25 17:39:11 2018 GMT
        Next Update: Dec  2 16:54:11 2018 GMT
OCSP Response updated!
/etc/haproxy/ssl.d/star_domain2_com.crt: good
        This Update: Nov 24 20:49:57 2018 GMT
        Next Update: Dec  1 20:04:57 2018 GMT
OCSP Response updated!
/etc/haproxy/ssl.d/star_domain3_com.crt: good
        This Update: Nov 25 14:09:00 2018 GMT
        Next Update: Dec  2 13:24:00 2018 GMT
OCSP Response updated!

I can confirm this is working as intended on other servers I have with
1.7.11 and 1.8.14, so it must be something specific to this one that I
struggle to understand (to be even more confusing, it is all being
set up by Ansible in the same way as everywhere else).

Under what circumstances would a setup like this not work in terms of
OCSP? Example:

$ echo | openssl s_client -connect server:443 -tlsextdebug -status -servername domain1.com | grep -E 'OCSP|domain1'
depth=0 C = AU, ST = New South Wales, L = Sydney, O = My Company, CN = *.domain1.com
verify return:1
DONE
OCSP response: no response sent
 0 s:/C=AU/ST=New South Wales/L=Sydney/O=My Company/CN=*.domain1.com
subject=/C=AU/ST=New South Wales/L=Sydney/O=My Company/CN=*.domain1.com

Thanks for your input by the way, very much appreciated.
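
As an added illustration (not part of the thread), the two things the `openssl s_client -status` test above exercises: whether the SNI name is actually covered by the certificate's CN or DNS SANs (a wildcard `*.domain1.com` does not cover the bare `domain1.com`, which is served only through the `DNS:domain1.com` SAN), and whether the handshake output reports a staple. The sample outputs are constructed from the lines quoted above.

```python
import re

# Constructed sample: the s_client output quoted in this thread (no staple sent).
SAMPLE_NO_STAPLE = """\
depth=0 C = AU, ST = New South Wales, L = Sydney, O = My Company, CN = *.domain1.com
verify return:1
DONE
OCSP response: no response sent
 0 s:/C=AU/ST=New South Wales/L=Sydney/O=My Company/CN=*.domain1.com
subject=/C=AU/ST=New South Wales/L=Sydney/O=My Company/CN=*.domain1.com
"""

# Constructed sample of what a stapled handshake prints instead.
SAMPLE_STAPLED = """\
OCSP response:
======================================
OCSP Response Data:
    OCSP Response Status: successful (0x0)
    Response Type: Basic OCSP Response
"""

def staple_status(s_client_output):
    """Classify `openssl s_client -status` output: 'stapled', 'missing' or 'unknown'."""
    if "OCSP response: no response sent" in s_client_output:
        return "missing"
    if "OCSP Response Status: successful" in s_client_output:
        return "stapled"
    return "unknown"

def served_cn(s_client_output):
    """CN of the certificate the server actually presented (from the subject= line)."""
    m = re.search(r"^subject=.*CN=([^/,\n]+)", s_client_output, re.M)
    return m.group(1).strip() if m else None

def name_matches(pattern, hostname):
    """Case-insensitive DNS name match with a single-label left-most wildcard
    (RFC 6125 style): '*.domain1.com' covers 'www.domain1.com' but not the
    bare 'domain1.com' and not 'a.b.domain1.com'."""
    pattern, hostname = pattern.lower(), hostname.lower()
    if pattern.startswith("*."):
        suffix = pattern[1:]                      # ".domain1.com"
        label = hostname[: -len(suffix)]          # what the '*' would stand for
        return hostname.endswith(suffix) and label != "" and "." not in label
    return pattern == hostname

def cert_covers(cert_names, hostname):
    """cert_names is the CN plus every DNS SAN; any single match is enough."""
    return any(name_matches(n, hostname) for n in cert_names)
```

If the SNI name is not covered, the server presents its default certificate and the staple (or lack of one) belongs to that certificate, not the one being tested.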
